Score:1

IIS returning empty body with 200 response for certain URLs


I have a really strange issue on IIS, where any URLs containing certain keywords (e.g., card, bet, loan, jewelry) return a blank page. It's a 200 response with IIS headers intact, but the response body is empty.

This applies to all sites on the server, and I've tried setting up a small test site with two files: index.html and card.html - index works fine, but card does exactly the same thing as above. So it's not an application issue.

The request is logged by IIS, and claims to be returning a non-0 number of bytes. If I set up a custom response header that gets through just fine. This happens if I visit the site directly on the server, too. So there doesn't seem to be a firewall blocking it. Something is just deleting the response body.

I've set up Failed Request Tracing - I don't know exactly what I'm looking for in there but I can't see any obvious errors.

There are no custom IIS modules (all under %windir% or the System namespace). There are no Request Filtering rules (other than the standard disallowed list of file extensions and .NET hidden segments).

I'm completely stumped! If anyone has come across anything similar, or knows of any programs which might do this, or has any idea of what to try next, I would love to hear!

Jaromanda X
have you tried other browsers? perhaps it's the browser that is failing
piemanji
Thanks. Yes I've tried Chrome and Firefox, on the server and on my machine, and also tested with Postman and get the same issue
Jaromanda X
`claims to be returning a non-0 number of byte` so, you've confirmed that a client gets zero bytes? any headers at all in the response? is there anything "between" IIS and the clients? (some sort of caching proxy for example)
piemanji
Yes client gets 0 bytes, but does receive server headers. In my minimal example with the HTML files I added a custom header and that was returned. I'm assuming there *is* something between IIS and the client, but I'm struggling to see where this is. I think it must be on the server as otherwise I wouldn't be seeing the issue when browsing the site on the server itself (the host is pointing at 127.0.0.1 in the hosts file).
Jaromanda X
is there a content-length header?
piemanji
Yes, the response has a content-length header value of 0
Jaromanda X
I can't recall what IIS logs show, perhaps the length you see is the headers
piemanji
That's true. So that means it could be some module within IIS causing the issue, rather than an external application/service.
piemanji
I've just confirmed, the sc-bytes value is equal to the size Postman gives for the response - suggesting that IIS is not returning the response body. Could Failed Request Tracing be used to figure out where the response is being altered?
piemanji
@JaromandaX I was able to find the offending module, called HTTPCacheLog, which was actually some malware that had been installed despite the innocuous name. Thanks so much for your help debugging this.
Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server)
Score:1

The issue turned out to be a piece of malware which had installed itself as an IIS module named HTTPCacheLog. I removed the module (and deleted the DLL in the inetsrv folder) and everything is working again now.

Lex Li
Unfortunately seeing one piece of malware on a machine is usually an indicator of being hacked and more pieces are there (or will be there). So, removing this piece alone does not really bring the server back to healthy. Please hire a security professional to show you what's the right approach.
piemanji
@LexLi Thank you for your concern :) I have taken appropriate steps to deal with the wider issue. I think this still answers the original question as to why IIS was returning a blank 200 response for certain keywords, and hopefully will help others narrow it down more quickly than I was able to.
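
The module in this thread lived in the inetsrv folder under an innocuous name, so a path check alone did not expose it. The following is an added example, not code from the original thread: one way to review registered native IIS modules by file signature and modification time. It assumes an elevated PowerShell session on the IIS server with the WebAdministration module available; the function name `Get-IisNativeModuleAudit` is hypothetical.

```powershell
# Added example: audit native IIS modules by file signature, not by path.
# Assumes an elevated session on the IIS server with the WebAdministration module.
Import-Module WebAdministration

# Hypothetical helper name; not part of IIS or the original thread.
function Get-IisNativeModuleAudit {
    foreach ($m in Get-WebGlobalModule) {
        # Image values are stored with variables such as %windir%; expand them.
        $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
        $exists = Test-Path -LiteralPath $path
        $sig    = $null
        $file   = $null
        if ($exists) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $file = Get-Item -LiteralPath $path
        }
        [pscustomobject]@{
            Name     = $m.Name
            Image    = $path
            Exists   = $exists
            Status   = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
            Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified = if ($file) { $file.LastWriteTime } else { $null }
        }
    }
}

# Anything not validly signed by Microsoft is listed for manual review.
# Some in-box DLLs are catalog-signed; on older Windows/PowerShell versions
# these can report NotSigned, so treat the output as leads, not verdicts.
$audit  = Get-IisNativeModuleAudit
$review = $audit | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}
$review | Sort-Object Modified -Descending |
    Format-Table Name, Status, Signer, Modified, Image -AutoSize -Wrap
```

Legitimate third-party modules will also appear in the review list; the recently modified, unsigned entries are the ones to examine first.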